NetScreen Concepts & Examples
Copyright Notice
NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.

NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085
U.S.A.
www.netscreen.com
FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Contents

Preface v
Conventions vi
WebUI Navigation Conventions vi
Example: Objects > Addresses > List > New vi
CLI Conventions vii
Dependency Delimiters vii
Nested Dependencies vii
Availability of CLI Commands and Features viii
OSPF Commands
OSPF Context Initiation
Setting a Neighbor List for an OSPF Interface
Example: Configuring a Neighbor List
Setting a Retransmit Interval for an OSPF Interface
Example: Configuring the Retransmit Interval
Setting a Priority Value on an OSPF Interface
Example: Configuring the Priority Value
Setting a Transit Delay Value on an OSPF Interface
Example: Configuring the Transit Delay
Configuring an RFC-1583 Environment
Example: Change to an RFC-1583 Environment
Example: Ignoring Default Route Advertisements
Index IX-I
Preface

Routing is an essential part of security devices. Without routing, a security device could not effectively forward secure traffic to its desired destinations. Dynamic routing shortens the time between a change in network topology and the forwarding of traffic on the network. Volume 5, Dynamic Routing, describes how to configure Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP). This volume describes the following:
- Overview of OSPF, OSPF commands, basic configuration, advanced configuration
- Overview of BGP, BGP commands, basic configuration, advanced configuration
Conventions
This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.
CLI Conventions
Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.
Dependency Delimiters

Each syntax description shows the dependencies between command features by using special characters.
- The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
- The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
- The | symbol denotes an "or" relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.
Nested Dependencies

Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

[ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command. The following example shows some of the feature dependencies of the set interface command.

set interface vlan1 broadcast { flood | arp [ trace-route ] }
The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route
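The delimiter rules above form a small grammar, and one way to confirm that you have read a syntax description correctly is to expand it mechanically into every command form it permits. The Python script below is an added example written for this edition; it is not part of the NetScreen manual or of ScreenOS. It parses the { }, [ ] and | notation as defined above and lists the resulting forms, reproducing the three forms shown for set interface vlan1 broadcast. It assumes a single-line description with the delimiters written as separate tokens (surrounded by spaces), as the manual writes them; the end-of-line | convention for multi-line descriptions is not handled.

```python
import re

# Words and the five delimiter characters become separate tokens.
TOKEN_RE = re.compile(r"[{}\[\]|]|[^\s{}\[\]|]+")


def tokenize(syntax):
    """Split a syntax description into word and delimiter tokens."""
    return TOKEN_RE.findall(syntax)


def parse_seq(tokens, pos):
    """Parse a sequence of items up to a closing delimiter or '|'.

    Returns (items, pos). Each item is ("word", text) or
    ("group", optional, alternatives); alternatives is the list of
    item sequences separated by '|' inside the group.
    """
    items = []
    while pos < len(tokens) and tokens[pos] not in ("}", "]", "|"):
        tok = tokens[pos]
        if tok in ("{", "["):
            closer = "}" if tok == "{" else "]"
            alts, pos = parse_alts(tokens, pos + 1, closer)
            items.append(("group", tok == "[", alts))
        else:
            items.append(("word", tok))
            pos += 1
    return items, pos


def parse_alts(tokens, pos, closer):
    """Parse 'seq | seq | ...' up to the matching closer; returns (alts, pos after closer)."""
    alts = []
    while True:
        seq, pos = parse_seq(tokens, pos)
        alts.append(seq)
        if pos >= len(tokens):
            raise ValueError(f"missing closing {closer!r}")
        if tokens[pos] == "|":
            pos += 1
            continue
        if tokens[pos] == closer:
            return alts, pos + 1
        raise ValueError(f"unexpected {tokens[pos]!r} at token {pos}")


def expand(items):
    """Return every word list the item sequence can produce, in left-to-right order."""
    forms = [[]]
    for item in items:
        if item[0] == "word":
            choices = [[item[1]]]
        else:
            _, optional, alts = item
            choices = [form for alt in alts for form in expand(alt)]
            if optional:  # an [ ] clause may be omitted entirely
                choices = [[]] + choices
        forms = [prefix + choice for prefix in forms for choice in choices]
    return forms


def expand_syntax(syntax):
    """Expand a CLI syntax description into the list of concrete command forms."""
    tokens = tokenize(syntax)
    items, pos = parse_seq(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unbalanced delimiter {tokens[pos]!r} at token {pos}")
    return [" ".join(form) for form in expand(items)]


if __name__ == "__main__":
    for form in expand_syntax("set interface vlan1 broadcast { flood | arp [ trace-route ] }"):
        print(form)
```

Mandatory groups contribute one alternative each; optional groups add the empty choice first, which is why the forms come out in the same order the manual lists them.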
NetScreen Documentation
To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

techpubs@netscreen.com
OSPF

This chapter describes the Open Shortest Path First (OSPF) routing protocol. The following topics are covered:
- Setting a Neighbor List for an OSPF Interface on page 23
- Setting a Retransmit Interval for an OSPF Interface on page 24
- Setting a Priority Value on an OSPF Interface on page 25
- Setting a Transit Delay Value on an OSPF Interface on page 26
- OSPF Virtual Link Configuration on page 27
- Creating a Virtual Link on page 27
- Automatically Creating a Virtual Link on page 28
- Creating a Message Digest for a Virtual Link on page 29
- Configuring a Clear-Text Password for a Virtual Link on page 30
- Creating a Dead Interval for a Virtual Link Neighbor on page 31
- Configuring a Retransmit Interval for a Virtual Link on page 33
- Configuring a Transit Delay Value for a Virtual Link on page 34
- OSPF Information on page 35
- Displaying Statistics for an OSPF Routing Instance on page 35
- Displaying Details about Redistribution Conditions on page 37
- Displaying Details about Redistributed Routes on page 38
- Displaying Objects in the OSPF Database on page 39
- Displaying Stub Details on page 40
- Displaying OSPF Configuration on page 41
- Other OSPF Configuration on page 42
- Binding OSPF to a Tunnel Interface on page 42
- Announcing a Default Route in All Areas on page 43
- Configuring Summary Routes on page 44
- Removing a Default Route on page 46
- Setting an Area Range on page 47
- Setting a Hello Flood Attack Threshold on page 48
- Setting an LSA Threshold on page 49
- Configuring an RFC-1583 Environment on page 50
NetScreen Concepts & Examples, Volume 5: Dynamic Routing

Overview of OSPF
Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (i.e., usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS. Each OSPF router uses LSAs from neighboring routers to maintain a link-state database. The link-state database is a listing of topology and state information for the surrounding networks. The constant distribution of LSAs throughout the AS enables all routers in an AS to maintain an identical link-state database. OSPF uses the link-state database to determine the best path to any network within the AS. This is done by generating a shortest-path tree, which is a graphical representation of the shortest path to any network within the AS. While all routers have the same link-state database, they all have unique shortest-path trees, because each router generates the tree with itself at the top (root) of the tree. More information on LSAs, link-state databases, and areas is covered later in this chapter.
Areas

OSPF allows networks to be grouped together logically or geographically by the use of areas. Areas also reduce the amount of routing information passed throughout the network, because a router only maintains a link-state database for the area in which it resides. No link-state information is maintained for networks or routers outside the local area. By default, all routers are grouped into a single backbone area called area 0 (usually denoted as area 0.0.0.0). However, large, geographically dispersed networks are typically segmented into multiple areas, because as networks grow, link-state databases grow, and dividing the link-state database into smaller groups allows for better scalability. It is important to note that all areas must be directly connected to area 0, with only one exception, which is covered later.
A router that is placed between two areas is called an area border router, and because all areas must be directly connected to area 0, any area outside of the backbone area is called a stub area. There are two common types of stub areas used in OSPF, each with its own characteristics:
- Stub area: An area that receives route summaries from the backbone area but does not receive link-state advertisements from other areas for routes learned through non-OSPF sources (i.e., BGP). A stub area can be considered a Totally Stubby Area if no summary routes are allowed in the stub area.
- Not So Stubby Area (NSSA): Like a normal stub area, an NSSA cannot receive routes from non-OSPF sources outside the current area. However, external routes learned within the area can be passed on to other areas.
Areas are configured at the VR level first, then interfaces can be configured to reside in areas defined at the VR level.
Router Classification

Routers that participate in OSPF routing are classified according to their function or location in the network:
- Internal Router: A router with all interfaces belonging to the same area.
- Backbone Router: A router that has an interface in the backbone area.
- Area Border Router: When an OSPF area borders another area, the router between the two areas is called an area border router. An area border router (ABR) is a router that has interfaces in multiple areas, one of which is the backbone area. An ABR summarizes the routes from the non-backbone area for distribution back to area 0. If a second area is created within ScreenOS, the device functions as an ABR.
- AS Boundary Router: When an OSPF area borders another AS, the router between the two autonomous systems is called an autonomous system boundary router (ASBR). An ASBR is responsible for advertising external AS routing information throughout an AS.
Hello Protocol
Two routers with interfaces on the same subnet are considered neighbors. Routers use the hello protocol to establish and maintain these neighbor relationships. When two routers establish bidirectional communication, they are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange routing information. In cases where there are multiple routers on a network, it is necessary to establish one router as the designated router (DR) and another as the backup designated router (BDR). The designated router is solely responsible for flooding the network with LSAs containing a list of all OSPF-enabled routers attached to the network. The DR is considered the most important router in an OSPF network because it is the only router that can form adjacencies with other routers on the network. Therefore, the DR is the only router on a network that can provide routing information to other routers. It is this type of hierarchy that enables OSPF to scale while minimizing network chatter. The BDR is responsible for becoming the designated router if the DR should fail.
Network Types

ScreenOS supports the following network types:
- Broadcast Networks
- Non-Broadcast Networks
- Point-to-Point Networks
Broadcast Networks
A broadcast network is a network that connects many routers together and can send, or broadcast, a single physical message to all the attached routers. Pairs of routers on a broadcast network are assumed to be able to communicate with each other. Ethernet is an example of a broadcast network. On broadcast networks, the OSPF router dynamically detects its neighbor routers by sending Hello packets to the multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.
Non-Broadcast Networks
A non-broadcast network is a network that connects many routers together but cannot broadcast messages to attached routers. On non-broadcast networks, OSPF protocol packets that are normally multicast need to be sent to each neighboring router. On non-broadcast networks, OSPF runs in one of two modes:
- Non-broadcast multi-access (NBMA) simulates OSPF operation on a broadcast network.
- Point-to-multipoint considers the network to be a collection of point-to-point networks.
On non-broadcast networks, you will need to enter configuration information in order for the OSPF router to discover its neighbors. For NBMA networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.
Point-to-Point Networks
A point-to-point network typically joins two routers over a Wide Area Network (WAN). An example of a point-to-point network is two routers connected by a 56Kb serial line. On point-to-point networks, the OSPF router dynamically detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.
Summary LSA (scope: Area): Describes a route to a destination outside the area but still inside the AS. There are two types:
- Type 3 summary-LSAs describe routes to networks.
- Type 4 summary-LSAs describe routes to AS boundary routers.

AS-External LSA (scope: Autonomous System): Routes to a network in another AS. Often, this is the default route (0.0.0.0/0).
OSPF Authentication
ScreenOS provides simple password and MD5 authentication to validate OSPF packets received from neighbors. Authentication can be configured at the virtual router level; in this case, all OSPF interfaces associated with the virtual router use the same authentication method. Authentication can also be configured at the interface level.
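How the MD5 option protects an OSPF packet is worth seeing concretely. The Python code below is an added example written for this edition; it is not ScreenOS code and does not come from the NetScreen manual. It builds a minimal OSPFv2 Hello packet and applies the cryptographic authentication procedure of RFC 2328 (Appendix D): the 16-byte key is appended to the packet, MD5 is computed over the result, and the digest is carried after the packet together with a key ID and a cryptographic sequence number that the receiver uses to reject replays. The router ID, area ID and key are sample values taken from the examples in this manual; the sequence numbers, the Hello field values and the verify() function are this example's own constructions.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_HEADER_LEN = 24      # OSPFv2 header size in bytes
AUTH_CRYPTOGRAPHIC = 2    # AuType 2: cryptographic (MD5) authentication
DIGEST_LEN = 16


def pad_key(key):
    """OSPF MD5 keys are 16 bytes; shorter keys are padded on the right with zero bytes."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return raw.ljust(16, b"\0")


def build_hello(router_id, area_id, key_id, seq, mask="255.255.0.0", neighbors=()):
    """Build an OSPFv2 Hello packet whose header is prepared for MD5 authentication.

    Hello field values below are constructed sample values, not device defaults.
    """
    body = struct.pack(
        "!4sHBBI4s4s",
        ipaddress.IPv4Address(mask).packed,
        10,                                       # HelloInterval (seconds)
        0x02,                                     # Options: E bit
        100,                                      # Router priority
        40,                                       # RouterDeadInterval (seconds)
        ipaddress.IPv4Address(router_id).packed,  # Designated router (self)
        b"\0" * 4,                                # Backup designated router: none
    )
    for neighbor in neighbors:
        body += ipaddress.IPv4Address(neighbor).packed
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack(
        "!BBH4s4sHH",
        2, 1, length,                             # version 2, type 1 (Hello), length
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0,                                        # checksum is zero for AuType 2
        AUTH_CRYPTOGRAPHIC,
    )
    # Authentication field: 2 zero bytes, key ID, auth data length, sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet, key):
    """Append the MD5 digest of (packet || padded key), as in RFC 2328 D.4.3."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(signed, keys, last_seq):
    """Check a received packet against the configured keys (key ID -> key string).

    Returns (accepted, reason). last_seq is the highest cryptographic sequence
    number already accepted from this neighbor; RFC 2328 requires the new one
    to be greater than or equal to it, so anything older is treated as a replay.
    """
    if len(signed) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False, "truncated packet"
    length = struct.unpack("!H", signed[2:4])[0]
    if length < OSPF_HEADER_LEN or length + DIGEST_LEN > len(signed):
        return False, "bad length"
    packet, digest = signed[:length], signed[length:length + DIGEST_LEN]
    autype = struct.unpack("!H", packet[14:16])[0]
    if autype != AUTH_CRYPTOGRAPHIC:
        return False, "not MD5 authenticated"
    key_id, auth_len, seq = struct.unpack("!BBI", packet[18:24])
    if auth_len != DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


if __name__ == "__main__":
    keys = {1: "1234567890123456"}   # key ID 1 and key from the interface example
    hello = build_hello("10.10.10.20", "0.0.0.10", key_id=1, seq=100)
    signed = sign(hello, keys[1])
    print(verify(signed, keys, last_seq=99))      # (True, 'ok')
    tampered = signed[:-17] + bytes([signed[-17] ^ 1]) + signed[-16:]
    print(verify(tampered, keys, last_seq=99))    # (False, 'digest mismatch')
    print(verify(signed, keys, last_seq=101))     # (False, 'replayed sequence number')
```

The digest covers the whole packet, so any change to the header or body invalidates it, and a peer that does not hold the key for the advertised key ID cannot produce a valid digest. By contrast, the simple password option carries the 8-byte password in the packet header itself, which is why the MD5 method is the one to prefer when both sides support it.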
OSPF Commands
Use the ospf context commands and the interface commands to configure OSPF in a NetScreen device.
WebUI

Network > Routing > Virtual Routers > trust-vr: Select Create OSPF Instance, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr)-> save

Note: Use the unset protocol ospf command to disable OSPF instances.
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Delete OSPF Instance.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> unset enable
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area: Enter the following, and then click OK:
Area ID: 10
Type: stub
Action: Add

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 10 stub
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for Area 10) > ethernet1: Use the Add button to move the interface from the Available Interfaces column to the Selected Interfaces column. Click OK.

CLI

1. ns-> set interface ethernet1 protocol ospf area 10
2. ns-> save
Redistributing Routes
Redistribution is the process of importing a route into the current routing domain from another part of the network that uses another routing protocol. This process allows the translation of routing information, particularly known routes, from the other routing protocol. For example, if you are on an OSPF network and a BGP network, the OSPF domain can import all known routes from the BGP network to allow devices in the OSPF routing domain to reach devices on the BGP network. When a route is redistributed, it affects the number of external LSAs generated in a given domain. For external LSAs to be advertised, the router performs redistribution.

To configure route redistribution, determine which routing protocol is the source of the routes and which routing protocol is the destination, or target, protocol that will advertise these newly learned external routes. Because different protocols are imported using different preferences, redistribution provides a local preference value as a way of comparing path desirability between protocols. When you configure route redistribution, you must first specify a route map that defines the routes to be distributed. For more information on configuring route maps, refer to Route Redistribution on page 2-74. You can redistribute routes using either the WebUI or the CLI set redistribute route-map command.
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules: Enter the following, and then click Add:
Route Map: map1
Protocol: BGP

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp
4. ns(trust-vr/ospf)-> save
WebUI

Note: You can only view OSPF configuration details for an interface through the CLI.

CLI

ns-> get interface ethernet1 protocol ospf
VR: trust-vr RouterId: 212.1.1.1
---------------------------------
Interface: ethernet2/1 IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled
Type: Ethernet Area: 0.0.0.10 Priority: 100 Cost: 1
Transit delay: 60s Retransmit interval: 5s
Hello interval: 10s Router Dead interval: 40s
Authentication-Type: MD-5 Authentication-Key: **************** MD-5 KeyId: 1
State: Designated Router DR: 20.20.20.20(self) BDR: 0.0.0.0
Neighbors:
Valid neighbor access list numbers in Vrouter (trust-vr)
---------------------------------------------------------------------
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Password: (select), 12345678

CLI

1. ns-> set interface ethernet1 protocol ospf authentication password 12345678
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
MD5 Key: (select), 1234567890123456
Key ID: 1

CLI

1. ns-> set interface ethernet1 protocol ospf authentication md5 1234567890123456 key 1
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Cost: 20

CLI

1. ns-> set interface ethernet1 protocol ospf cost 20
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor Dead Interval: 100

CLI

1. ns-> set interface ethernet1 protocol ospf dead-interval 100
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Hello Interval: 100

CLI

1. ns-> set interface ethernet1 protocol ospf hello-interval 100
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor List: 4 | 5 | 6

CLI

1. ns-> set interface ethernet1 protocol ospf neighbor-list 4 5 6
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Retransmit Interval: 100

CLI

1. ns-> set interface ethernet1 protocol ospf retransmit-interval 100
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Type 100 in the Priority field, and then click Apply.

CLI

1. ns-> set interface ethernet1 protocol ospf priority 100
2. ns-> save
WebUI

Network > Interfaces > Edit (for ethernet1) > OSPF: Type 10 in the Transit Delay field, and then click Apply.

CLI

1. ns-> set interface ethernet1/1 protocol ospf transit_delay 10
2. ns-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

CLI

1. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20
2. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Automatically generate virtual links, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set auto-vlink
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: Enter the following, and then click OK:
Authentication MD5: (select)
MD5 Key (16 characters): 1234567890123456

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type md5 1234567890123456
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: Enter the following, and then click OK:
Authentication Password: (select)
Password (8 characters): 12345678

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type password 12345678
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: In the Router Dead Interval field, type 50, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 dead-interval 50
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: In the Hello Interval field, type 30, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 hello-interval 30
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: In the Retransmit Interval field, type 20, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 retransmit-interval 20
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

> Configure: In the Transit Delay field, type 100, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20 transit-delay 100
4. ns(trust-vr/ospf)-> save
OSPF Information

This section describes tasks for displaying OSPF information.
WebUI

Note: You can only display these statistics through the CLI.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get statistics
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
Packet Type      Transmit  Receive
---------------------------------------------------------------------
Hello            0         0
LS Request       0         0
LS Acknowledge   0         0
LS Update        0         0
Database Desc    0         0

AreaId      SPF Runs
--------------------------------------------
0.0.0.0     1
0.0.0.10    0

Packets Dropped: None
Receive Errors: None
Bad LS Requests: 0

Note: Use the clear command to reset all packet types to 0.
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get rules-redistribute
VR: trust-vr RouterId: 1.1.1.2
---------------------------------
trust-vr
==========
Redistribution Rules
-------------------------------------------------
IP-Prefix       Source-Protocol  Cost  ASE-Type  Tag
------------------------------------------------------------------------------
100.123.1.4/16  any              10    1         0.0.0.10
WebUI

Note: You can only display these details through the CLI.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get routes-redistribute
VR: trust-vr RouterId: 1.1.1.2
---------------------------------
IP-Prefix  Cost  ASE-Type  Forwarding-IP  Tag
---------------------------------------------------------------
1.1.1.0    20    1         0.0.0.0        0.0.0.0
WebUI

Note: You can only use the CLI to display these statistics.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get database area 0 router
Link-State-Id  Adv-Router-ID  Age  Sequence  Checksum
---------------------------------------------------------
20             1.1.1.0        20   2         1
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get stub
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
Area-ID: 0.0.0.10 (Stub)
Total number of interfaces is 0, Active number of interfaces is 0
Route Imports: None, SPF Runs: 0
Number of ABR(s): 0, Number of ASBR(s): 0
Number of LSA(s): 0, Checksum: 0x0
Default route metric type is ext-type-1, metric is 1
Type-3 LSA Filter: disabled
WebUI

Note: To view the OSPF commands, you must use the CLI.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get config
VR: untrust-vr RouterId: 0.0.0.0
---------------------------------
set protocol ospf
set disable
set auto-vlink
set advertise-def-route always metric 10 metric-type 1
set area 0.0.0.10 nssa
exit
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure: Enter the following, and then click Apply:
Available Interfaces: tunnel.1
Use the Add button to move the tunnel.1 interface from the Available Interfaces column to the Selected Interfaces column.

CLI

1. ns-> set interface tunnel.1 protocol ospf
2. ns-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Advertising Default Route Enable, and then click OK.

Note: The default metric is 1 and the default metric-type is ASE type 1.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set advertise-default-route always metric 1 metric-type 1
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Summary Import: Enter the following, and then click Add:
IP/Netmask: 2.1.1.0/16
Tag: 20

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol static
4. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol bgp
5. ns(trust-vr/ospf)-> set summary-import 2.1.1.0/16 tag 20
6. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the Do not add default-route learned in OSPF check box, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set reject-default-route
4. ns(trust-vr/ospf)-> save
WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for 0.0.0.10): Enter the following, and then click OK:
IP: 20.20.0.0
NetMask: 255.255.0.0
Type: (select) Advertise
Action: Add

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 0.0.0.10 range 20.20.0.0/16 advertise
4. ns(trust-vr/ospf)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click Apply:
Prevent Hello Packet Flooding Attack: On
Max hello packet: 20
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set hello-threshold 20
4. ns(trust-vr/ospf)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click OK:
LSA Packet Threshold Time: 10
Maximum LSAs: 10
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set lsa-threshold 10 10
4. ns(trust-vr/ospf)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the rfc-1583 compatible check box, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set rfc-1583
4. ns(trust-vr/ospf)-> save
BGP is a routing protocol for communication between autonomous systems (ASs) on the internet. Peer routers in each AS use BGP to exchange routing information. Each BGP peer router requires explicit configuration with the network-layer reachability information it advertises to (and accepts from) peer devices. This chapter describes important and commonly-used procedures for configuring your local virtual router for BGP environments.

The BGP Commands on page 53
Basic BGP Configuration Tasks on page 57
  Creating a BGP Instance of the Virtual Router on page 57
  Specifying Reachable Networks from an AS on page 58
  Enabling Aggregate Routes on page 59
  Enabling Redistribution on page 60
  Configuring a BGP Neighbor on page 61
  Enabling a BGP Peer with an IP Address on page 62
  Configuring a Hold Timer on page 63
  Configuring a Keepalive Timer on page 64
  Enabling Route Flap Damping on page 65
  Discarding Default Route Advertisements from a Peer Router on page 66
Advanced BGP Configuration Tasks on page 67
  Applying a Route Map to Routes from Specified Neighbors on page 67
  Assigning a Weight to a Path on page 68
  Setting an AS Path Access List on page 69
  Configuring a Community List on page 70
  Setting a Local Preference on page 73
  Setting a Multi-Exit Discriminator (MED) on page 74
  Setting a Multi-Exit Discriminator (MED) Comparison on page 75
  Configuring a Route Reflector on page 76
  Setting a Neighbor as a Route Reflector Client on page 77
  Configuring a Confederation on page 78
  Adding an AS Member to a Confederation on page 79
Context Initiation
Before you can execute a BGP command, you must initiate the bgp context. Initiating the bgp context requires two steps:
1. Enter the vrouter context by executing the set vrouter command:
   ns-> set vrouter vrouter
   where vrouter is the name of the virtual router. (For this example, vrouter is the trust-vr virtual router.)
2. Enter the bgp context by executing the set protocol bgp command:
   ns(trust-vr)-> set protocol bgp
For more information on contexts, see Context-Sensitive Commands in the CLI on page 2-58.
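Because every command in this chapter is only valid in a particular context, a transcript of prompt lines can be checked mechanically before it is pasted into a device. The Python checker below is an added example, not NetScreen's code: it replays the set vrouter, set protocol and exit transitions over a transcript of ns-> lines and flags a command whose prompt disagrees with the tracked context, or a protocol-level command issued outside a protocol context. The transcript it runs on is constructed, and the list of protocol-only commands is taken from the commands shown in this chapter.

```python
import re

# Prompt forms used on this page, optionally preceded by a step number:
# "1. ns->", "ns(trust-vr)->", "ns(trust-vr/bgp)->".
PROMPT_RE = re.compile(r"^(?:\d+\.\s*)?ns(?:\(([^)]*)\))?->\s*(.*)$")

# Commands that are only meaningful inside a protocol (bgp or ospf) context.
PROTOCOL_ONLY = (
    "set neighbor", "set hold-time", "set keepalive", "set community-list",
    "set as-path-access-list", "set reflector", "set confederation",
    "set aggregate", "set network", "set med", "set local-pref", "set enable",
    "unset enable", "set flap-damping", "set ignore-default-route",
    "set redistribute", "set hello-threshold", "set lsa-threshold",
    "set reject-default-route", "set area", "set rfc-1583", "set summary-import",
    "set advertise-default-route", "set always-compare-med",
)

def check_transcript(text):
    """Replay the context changes in a ScreenOS CLI transcript and return
    [(line_no, problem)] for prompts that disagree with the tracked context
    and for protocol-level commands issued outside a protocol context."""
    findings = []
    vrouter = None   # set by "set vrouter <name>", cleared by "exit"
    protocol = None  # set by "set protocol bgp [as]" / "set protocol ospf"
    for n, raw in enumerate(text.splitlines(), 1):
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # notes, headings and blank lines are not commands
        shown, cmd = m.group(1) or "", m.group(2).strip()
        tracked = "/".join(p for p in (vrouter, protocol) if p)
        if shown != tracked:
            findings.append((n, f"prompt shows '{shown}' but tracked context is '{tracked}'"))
        if protocol is None and cmd.startswith(PROTOCOL_ONLY):
            findings.append((n, f"'{cmd.split()[1]}' needs a protocol context"))
        tok = cmd.split()
        if tok[:2] == ["set", "vrouter"] and len(tok) == 3:
            vrouter, protocol = tok[2], None
        elif (tok[:2] == ["set", "protocol"] and vrouter and len(tok) >= 3
              and (len(tok) == 3 or tok[3].isdigit())):
            protocol = tok[2]  # "set protocol bgp 20" enters; "... bgp redistribute" is one-shot
        elif cmd == "exit":  # leave the protocol context first, then the vrouter
            protocol, vrouter = (None, vrouter) if protocol else (None, None)
    return findings

# Constructed transcript in the style of this page; steps 7 and 8 contain the
# kind of slip a configuration review should catch.
SAMPLE = """\
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp 20
3. ns(trust-vr/bgp)-> set enable
4. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 remote-as 20
5. ns(trust-vr/bgp)-> exit
6. ns(trust-vr)-> set protocol bgp redistribute route-map Import_ACL1 protocol connected
7. ns(trust-vr)-> set neighbor 172.16.1.254 send-community
8. ns(trust-vr/bgp)-> save
"""

if __name__ == "__main__":
    for line_no, problem in check_transcript(SAMPLE):
        print(f"step {line_no}: {problem}")
```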
always-compare-med

as-path-access-list
Use the as-path-access-list commands to create, remove, or display a regular expression in an AS-path access list. An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list. Command options: get, set, unset

community-list
Use the community-list commands to enter a router in a community list, to remove a router from the list, or to display the list. A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. Command options: get, set, unset

confederation
Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information. Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, thus simplifying the routing process. Command options: get, set, unset

enable
Use the enable commands to enable or disable BGP. Command options: get, set, unset

flap-damping
Use the flap-damping commands to enable or disable the flap-damping setting. Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to contain routing instability at an AS border router, adjacent to the region where instability occurs. Command options: get, set, unset

hold-time
Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between messages received from the BGP neighbor. Command options: get, set, unset

ignore-default-route
Use the ignore-default-route commands to enable or disable the ignore-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router. Command options: get, set, unset

keepalive
Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up. Command options: get, set, unset

local-pref
Use the local-pref command to configure the LOCAL_PREF metric on a BGP router. This metric expresses preference for one set of paths over another. Command options: get, set, unset

med
Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID number. The MED determines the most suitable entry or exit point when there are multiple exit/entry points to the same neighbor autonomous system (AS). Command options: get, set, unset

neighbor
Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The device uses these parameters while establishing a BGP connection to another autonomous system (AS). Command options: clear, exec, get, set, unset

network
Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries). Command options: get, set, unset

redistribute
Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribute settings. Command options: get, set, unset

reflector
Use the reflector commands to allow the local BGP virtual router to serve as a route reflector. A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). Command options: get, set, unset

synchronization
Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP). Command options: set, unset
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Create BGP Instance: Enter the following, and then click OK:
AS Number (required): 20
BGP Enabled: (select)
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp 20
3. ns(trust-vr/bgp)-> set enable
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Networks: Enter 192.168.1.0/24 in the IP/Netmask field, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set network 192.168.1.0/24
4. ns(trust-vr/bgp)-> save
Instead of sending individual routes for each, you aggregate them into one advertisement (192.168.10.0/24).
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Aggregate Address: Enter the following, and then click OK:
IP/Netmask: 192.168.10.0/24
Aggregate State: Enable: (select)
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> unset enable
4. ns(trust-vr/bgp)-> set aggregate ip 192.168.10.0/24
5. ns(trust-vr/bgp)-> set enable
6. ns(trust-vr/bgp)-> save
Enabling Redistribution
When a virtual router learns routes from other dynamic protocols (or from static configuration), it does not automatically advertise those routes to its BGP peers. You must first import the routes into the BGP protocol. To import such routes, or to display the current route redistribution settings, use the WebUI or the CLI set redistribute commands. For more information on route redistribution rules and on importing routes, see Route Redistribution on page 2-74.
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Redist Rules: Enter the following, and then click OK:
Route Map: Corp_Office
Protocol: OSPF
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors: Enter the following, and then click Add:
AS Number: 20
Remote IP: 192.4.55.4
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 remote-as 20
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.4.55.4): Select Peer Enabled, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 enable
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following, and then click OK:
Hold Time: Enable (select)
Hold Time: 60
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set hold-time 60
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Hold Time Enable, type 60 in the Hold Time field, and then click OK.
Note: You cannot set a value for the keepalive interval directly through the WebUI. However, because the keepalive value is always 1/3 of the Hold Time value, setting the Hold Time value to 60 seconds indirectly sets the keepalive value to 20 seconds.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set keepalive 20
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Route flap damping state, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set flap-damping
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Ignore default route from peer, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set ignore-default-route
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Enter the following, and then click OK:
Incoming Map-Tag: 10
Outgoing Map-Tag: 15
Peer Enabled: (select)
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 10 in
4. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 15 out
5. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Type 30 in the Weight field, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 weight 30
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > AS Path: Enter the following, and then click Add:
AS Path Access List ID: 10
Permit: Permit
AS Path String: ^100
Action: Add
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set as-path-access-list 10 permit ^100
4. ns(trust-vr/bgp)-> save
CLI (Peer A)
Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
4. ns(trust-vr/bgp)-> exit
5. ns(trust-vr)-> set route 10.1.1.0/24 interface ethernet3 gateway 192.128.1.254
6. ns(trust-vr)-> set access-list 1
7. ns(trust-vr)-> set access-list 1 permit ip 0.0.0.0/0 1
8. ns(trust-vr)-> set access-list 2
9. ns(trust-vr)-> set access-list 2 permit ip 10.1.1.0/24 1
Route Redistribution
16. ns(trust-vr)-> set protocol bgp redistribute route-map Import_ACL1 protocol connected
17. ns(trust-vr)-> set protocol bgp redistribute route-map Import_ACL2 protocol static
Neighbor
18. ns(trust-vr)-> set neighbor 172.16.1.254 send-community
19. ns(trust-vr)-> set neighbor 172.16.1.254 route-map Import_ACL2 out
20. ns(trust-vr/bgp)-> save
CLI (Peer B)
Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
Route Redistribution
9. ns(trust-vr/bgp)-> set protocol bgp redistribute route-map Import_Comm1 protocol imported
Neighbor
10. ns(trust-vr/bgp)-> set neighbor 172.16.1.254 route-map Import_Comm1 in
11. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Parameters: Type 20 in the Local Preference field, and then click OK.
CLI
1. ns(trust-vr/bgp)-> set local-pref 20
2. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Type 20 in the Default MED field, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set med 20
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Always compare med state, and then click OK.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set always-compare-med
4. ns(trust-vr/bgp)-> save
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following, and then click OK:
Route Reflector: Enable
Cluster ID: 10
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set reflector cluster-id 10
4. ns(trust-vr/bgp)-> save
WebUI
Note: To set a neighbor as a route reflector client, you must use the CLI.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.3 reflector-client
4. ns(trust-vr/bgp)-> save
Configuring a Confederation
A confederation divides an AS into smaller sub-ASs and groups them, thus reducing the number of connections inside the AS and simplifying the routing matrices created by meshes. To create a confederation, remove a confederation, or display confederation information, use the WebUI or the CLI confederation commands.
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Enter the following, and then click OK:
Enable: (select)
ID: 200
Supported RFC: RFC 1965
Peer Member Area ID: 30
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation id 200
4. ns(trust-vr/bgp)-> set confederation peer 30
5. ns(trust-vr/bgp)-> save
Note: It is not necessary to specify RFC 1965. NetScreen BGP confederations support this RFC by default.
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Type 45040 in the Peer Member Area ID field, and then click Add.
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation peer 45040
4. ns(trust-vr/bgp)-> save
Index

B
BGP
  advertisements 55
  aggregates 54, 59
  AS path access list 54, 69
  community lists 54
  confederation 79
  confederations 55, 78
  default route 55
  flap-damping 55
  hold time 55
  hold timer 63
  keepalive 55
  keepalive timer 64
  local preference 55, 73
  multi-exit discriminator (MED) 54, 56
  neighbor 56
  peer enabling 55, 62
  reachable networks 56, 58
  redistribution 56
  route maps 67
  route reflector 77
  route reflectors 56, 76
  synchronization 56
  virtual routing instance 57
  weight 68

O
OSPF
  adjacency 5
  Area Border Router 4
  area range 47
  areas 3, 13
  AS Boundary Router 4
  authentication methods 8
  backbone area 3
  Backbone Router 4
  backup designated router 5
  broadcast networks 5
  clear-text password 18, 30
  configuration commands 41
  context 10
  cost 20
  database 39
  dead interval 21, 31
  default route 43, 46
  designated router 5
  hello interval 22, 32
  hello protocol 5
  hello threshold 48
  instance 11, 12
  instances 8
  interface 17
  interface characteristics 9
  interfaces 14
  Internal Router 4
  link state advertisements 7
  link-state advertisements 3
  link-state database 3
  LSA threshold 49
  MD5 password 19, 29
  neighbor list 23
  neighbor routers 5
  network types 5
  non-broadcast networks 6
  Not So Stubby Area 4
  overview 3
  point-to-point networks 6
  priority 25
  retransmit interval 24, 33
  RFC 1538 8
  RFC 1583 50
  RFC 2328 8
  route redistribution 15, 38
  route redistribution rules 37
  routing instance, creating 11
  statistics 35
  stub area 4, 40
  summary route 44
  Totally Stubby Area 4
  transit delay 26, 34
  tunnel interface 42
  virtual link 27, 28
  VPN tunnel support 8

C
CLI conventions vii
command set admin 69, 70, 75
conventions
  CLI vii
  WebUI vi

S
set commands admin 69, 70, 75

W
WebUI, conventions vi